Chapter 12 – Authentication

question

Weak password – Passwords that use:
answer

Common word as password (e.g., princess); short password (e.g., desk); predictable sequence of characters (e.g., abc123); personal information (e.g., Hannah)
question

Offline cracking
answer

Method used by most password attacks today
question

Offline cracking
answer

With offline cracking, attackers steal password digests, load the file onto their own computers, and attempt to discover passwords by comparing the stolen digests with digests they create themselves (candidates)
question

Passwords – Attacks on Passwords – Brute force attack
answer

Every possible combination of letters, numbers, and characters is used to create candidate digests, which are then matched against those in the stolen digest file
question

Passwords – Attacks on Passwords – Dictionary attack
answer

Attacker creates digests of common dictionary words as candidates
question

Passwords – Attacks on Passwords – Pre-image attack
answer

Dictionary attack that uses a set of dictionary words and compares them with the stolen digests; one known digest (of a dictionary word) is compared to an unknown digest (a stolen digest)
question

Passwords – Attacks on Passwords – Birthday attack
answer

Search is for any two digests that are identical
question

Passwords – Attacks on Passwords – Hybrid attack
answer

Variation of a dictionary attack that combines a dictionary attack with a brute force attack. Dictionary words are slightly altered by: adding numbers to the end of the password; spelling words backward; slightly misspelling words; including special characters (@, $, !, or %)
question

Passwords – Attacks on Passwords – Rainbow tables
answer

Creating a large pregenerated data set of candidate digests. Generating a rainbow table requires a significant amount of time
question

Rainbow tables
answer

______ are much faster than dictionary attacks. The amount of memory needed on the attacking machine is greatly reduced
question

Passwords – Attacks on Passwords – Password collections
answer

Stolen passwords posted on the Internet now provide key elements for password attacks: password collections give attackers insight into the strategic thinking behind how users create passwords; a large corpus of real-world passwords is available; and because users repeat passwords on multiple accounts, attackers now use these passwords as candidate passwords in their attacks
question

Passwords | Password Defenses (Complexity)
answer

Do not repeat characters (xxx) or use sequences (abc, 123, qwerty). Do not use short passwords; a strong password should be a minimum of 15 characters in length
question

Password management applications
answer

Programs in which a user can create and store multiple strong passwords in a single user vault file protected by one strong master password. Users retrieve individual passwords as needed by opening the user file, freeing them from the need to memorize multiple passwords
question

Password Defenses (Hashing) – Microsoft Windows operating systems hash passwords – LAN Manager (LM) hash
answer

Instead of encrypting the password with another key, the password itself is the key; the LM hash is considered a very weak function
question

Password Defenses (Hashing) – Microsoft Windows operating systems hash passwords – New Technology LAN Manager (NTLM) hash
answer

More secure password hash algorithm
question

Password Defenses (Hashing) – Key stretching
answer

Specialized password hash algorithms intentionally designed to be slower, limiting an attacker's ability to crack passwords because significantly more time is required to create each candidate digest
question

bcrypt and PBKDF2
answer

Two (2) popular key stretching password hash algorithms are
question

Passwords | Password Defenses (Salts)
answer

Random string used in password hash algorithms. Passwords can be protected by adding a random string to the user's cleartext password before it is hashed
question

Common items used for authentication:
answer

Tokens, cards, cell phones
question

What You Have | Tokens
answer

Typically a small device (usually one that can be affixed to a keychain) with a window display
question

Tokens One-time password (OTP)
answer

Authentication code that can be used only once or for a limited period of time
question

Cognitive biometrics Examples
answer

Picture gesture authentication (PGA) for touch-enabled devices; identifying specific faces; recalling a memorable event
question

Behavioral Biometrics
answer

Authentication based on actions that the user is uniquely qualified to perform
question

Behavioral Biometrics – Keystroke Dynamics
answer

Attempts to recognize the user's typing rhythm; provides up to 98 percent accuracy
question

Geolocation
answer

If a computer in China attempts to access a user's bank's website, this may be an indication that an attacker
question

password
answer

A(n) _______is a secret combination of letters, numbers, and/or characters that only the user should know.
question

token
answer

A(n) _____ is typically a small device (usually one that can be affixed to a keychain) with a window display.
question

Geolocation
answer

Authentication that interprets a user's physical whereabouts is known as ______________
question

Identity Management
answer

Using a single authentication credential shared across multiple networks
question

Federated Identity Management (FIM)
answer

When the networks are owned by different organizations
question

Single sign-on (SSO)
answer

One application of FIM: using one authentication credential to access multiple accounts or applications, e.g.
question

Single Sign-On | Microsoft Account
answer

Introduced in 1999 as .NET Passport, then renamed Microsoft Passport Network, then Windows Live ID, now ____________
question

Single Sign-On | OpenID
answer

Decentralized open source FIM. Does not require specific software to be installed on the desktop. URL-based identity system. One weakness is that it depends on the URL identifier routing to the correct server, which in turn depends on the domain name server (DNS), which may have its own security weaknesses
question

Single Sign-On | Open Authorization (OAuth)
answer

Permits users to share resources stored on one site with a second site without forwarding authentication credentials. Allows seamless data sharing among sites. Relies on token credentials, replacing the need to transfer the user's username and password. Tokens are issued for specific resources on a site for a limited time period
question

OpenID
answer

_________ is a decentralized open source Federated Identity Management (FIM) that does not require specific software to be installed on the desktop.
question

token
answer

Open Authorization (OAuth) is an open-source service that authenticates a user on multiple sites using _________ credentials
question

Account Lockout Policy
answer

The Active Directory Domain Service policy that can block a login after a specified number of failed logins over a specified time period is named _____